I just want to find out if this was you would you disclose them or just ignore because it not worth the hassle ? also how would you disclose them I have sent email asking if they have security team but no reply so far.

How are you finding these issues? How is it you know where things are stored, and how they're stored?

This isn't exactly something you should randomly be looking at websites for, if you're not asked / contracted to...

That said, depending on the site, you could contact them to resolve it. However, be warned that they might wonder why you were poking around their site to begin with. Some folks might not take your actions lightly, even if well-intentioned... So it's up to you.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

I would also be hesitant to start the conversation with, "Do you guys have a security team?"

That would, first of all, put me on the defensive from the get-go. Secondly, I'd probably expect to hear you say something along the lines of, "Well, if you don't, I can help you out." After disclosing a security vulnerability unsolicited, this can be construed as unethical behavior.

well I was using a site but forgot my password and noticed it got sent to me as plain text so would be a really good indication that they not being encrypted in database.

and again was using a site with my username but could not remember my password noticed the error message telling me username was valid but password was not and on same site I decide to see what info they had on me saw the bit to add credit card so made a number up to see and when I went back into it the whole number was on show not even like **********1234 so would assume they storing CC wrong

so was not really looking for the issue they just stood out when using the normal features of the site.

I feel as ethical hacker I should tell them but on the other side I feel they think I am after something or been trying own them or something and end up doing more hard than good.

Either way, it's up to you if you want to discuss with them, or not. Again, just note, that if you weren't asked or contracted to analyze them, you'd better be ready to play really dumb when they ask you why you were posting dummy credit card numbers, etc. They could 'possibly' interpret that as credit card fraud, as well. (Depending on where you stored it, and why...)

Just be cautious...

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

I suggest you contact them in an officially looking e-mail where you point out that you haven't attacked them but rather observed how their website function and that the current structure is insecure. Make sure you point out you're doing it for free and that you're not selling any services. (Otherwise they might see it as blackmail, I've experienced that on a few occasions where I even stated it was free.)

Also, you can write to the webmaster or perhaps if they have a security department those as well, but usually you get the fastest response and activity via HR. When I've contacted administrators directly I've mostly been met with hatred or ignorance. In some cases my direct contact with e.g., the webmaster has been much appreciated though.

Some companies may take this as a personal insult or attack as well, so be prepared for whatever response they come up. Some will also say they're going to fix it, and then it won't get fixed, even a year after, and we're talking about quite serious vulnerabilities here too.